Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding.

SeaMonkey was updated to 2.7.1 to fix critical bugs and security issue.

Following security issue was fixed: CVE-2012-0452: Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur.
This crash may be potentially exploitable.

Firefox 9 and earlier are not affected by this vulnerability.

https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

MozillaFirefox was updated to 10.0.1 to fix critical bugs and security issue.

Following security issue was fixed: CVE-2012-0452: Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave a XBL binding in a hash table even when the function fails. If this occurs, when the cycle collector reads this hash table and attempts to do a virtual method on this binding a crash will occur.
This crash may be potentially exploitable.

Firefox 9 and earlier are not affected by this vulnerability.

https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

Changes in MozillaFirefox :

  - update to Firefox 10.0.1 (bnc#746616)

  - MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free     in nsXBLDocumentInfo::ReadPrototypeBindings

  - Use YARR interpreter instead of PCRE on platforms where     YARR JIT is not supported, since PCRE doesnt build     (bmo#691898)

  - fix ppc64 build (bmo#703534)

Changes in MozillaThunderbird :

  - update to version 10.0.1 (bnc#746616)

  - MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free     in nsXBLDocumentInfo::ReadPrototypeBindings

  - Use YARR interpreter instead of PCRE on platforms where     YARR JIT is not supported, since PCRE doesnt build     (bmo#691898)

  - fix ppc64 build (bmo#703534)

Changes in seamonkey :

  - update to SeaMonkey 2.7.1 (bnc#746616)

  - MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free     in nsXBLDocumentInfo::ReadPrototypeBindings

  - Use YARR interpreter instead of PCRE on platforms where     YARR JIT is not supported, since PCRE doesnt build     (bmo#691898)

  - fix ppc64 build (bmo#703534)

Changes in xulrunner :

  - update to version 10.0.1 (bnc#746616)

  - MFSA 2012-10/CVE-2012-0452 (bmo#724284) use after free     in nsXBLDocumentInfo::ReadPrototypeBindings

  - Use YARR interpreter instead of PCRE on platforms where     YARR JIT is not supported, since PCRE doesnt build     (bmo#691898)

  - fix ppc64 build (bmo#703534)

Changes in xulrunner :

  - update to 12.0 (bnc#758408)

  - rebased patches

  - MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous     memory safety hazards

  - MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free     in IDBKeyRange

  - MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees     causes heap corruption in gfxImageSurface

  - MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS     via multibyte content processing errors

  - MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory     corruption during font rendering using cairo-dwrite

  - MFSA 2012-26/CVE-2012-0473 (bmo#743475)     WebGL.drawElements may read illegal video memory due to     FindMaxUshortElement error

  - MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page     load short-circuit can lead to XSS

  - MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6     in Origin headers may bypass webserver access     restrictions

  - MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS     through ISO-2022-KR/ISO-2022-CN decoding issues

  - MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL     content using textImage2D

  - MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error     in OpenType Sanitizer

  - MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP     Redirections and remote content can be read by     JavaScript errors

  - MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site     identity spoofing when loading RSS and Atom feeds

  - added mozilla-libnotify.patch to allow fallback from     libnotify to xul based events if no notification-daemon     is running

  - gcc 4.7 fixes

  - mozilla-gcc47.patch

  - disabled crashreporter temporarily for Factory

Changes in MozillaFirefox :

  - update to Firefox 12.0 (bnc#758408)

  - rebased patches

  - MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous     memory safety hazards

  - MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free     in IDBKeyRange

  - MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees     causes heap corruption in gfxImageSurface

  - MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS     via multibyte content processing errors

  - MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory     corruption during font rendering using cairo-dwrite

  - MFSA 2012-26/CVE-2012-0473 (bmo#743475)     WebGL.drawElements may read illegal video memory due to     FindMaxUshortElement error

  - MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page     load short-circuit can lead to XSS

  - MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6     in Origin headers may bypass webserver access     restrictions

  - MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS     through ISO-2022-KR/ISO-2022-CN decoding issues

  - MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL     content using textImage2D

  - MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error     in OpenType Sanitizer

  - MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP     Redirections and remote content can be read by     JavaScript errors

  - MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site     identity spoofing when loading RSS and Atom feeds

  - added mozilla-libnotify.patch to allow fallback from     libnotify to xul based events if no notification-daemon     is running

  - gcc 4.7 fixes

  - mozilla-gcc47.patch

  - disabled crashreporter temporarily for Factory

  - recommend libcanberra0 for proper sound notifications

Changes in MozillaThunderbird :

  - update to Thunderbird 12.0 (bnc#758408)

  - MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous     memory safety hazards

  - MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free     in IDBKeyRange

  - MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees     causes heap corruption in gfxImageSurface

  - MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS     via multibyte content processing errors

  - MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory     corruption during font rendering using cairo-dwrite

  - MFSA 2012-26/CVE-2012-0473 (bmo#743475)     WebGL.drawElements may read illegal video memory due to     FindMaxUshortElement error

  - MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page     load short-circuit can lead to XSS

  - MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6     in Origin headers may bypass webserver access     restrictions

  - MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS     through ISO-2022-KR/ISO-2022-CN decoding issues

  - MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL     content using textImage2D

  - MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error     in OpenType Sanitizer

  - MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP     Redirections and remote content can be read by     JavaScript errors

  - MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site     identity spoofing when loading RSS and Atom feeds

  - update Enigmail to 1.4.1

  - added mozilla-revert_621446.patch

  - added mozilla-libnotify.patch (bmo#737646)

  - added mailnew-showalert.patch (bmo#739146)

  - added mozilla-gcc47.patch and mailnews-literals.patch to     fix compilation issues with recent gcc 4.7

  - disabled crashreporter temporarily for Factory (gcc 4.7     issue)

Changes in seamonkey :

  - update to SeaMonkey 2.9 (bnc#758408)

  - MFSA 2012-20/CVE-2012-0467/CVE-2012-0468 Miscellaneous     memory safety hazards

  - MFSA 2012-22/CVE-2012-0469 (bmo#738985) use-after-free     in IDBKeyRange

  - MFSA 2012-23/CVE-2012-0470 (bmo#734288) Invalid frees     causes heap corruption in gfxImageSurface

  - MFSA 2012-24/CVE-2012-0471 (bmo#715319) Potential XSS     via multibyte content processing errors

  - MFSA 2012-25/CVE-2012-0472 (bmo#744480) Potential memory     corruption during font rendering using cairo-dwrite

  - MFSA 2012-26/CVE-2012-0473 (bmo#743475)     WebGL.drawElements may read illegal video memory due to     FindMaxUshortElement error

  - MFSA 2012-27/CVE-2012-0474 (bmo#687745, bmo#737307) Page     load short-circuit can lead to XSS

  - MFSA 2012-28/CVE-2012-0475 (bmo#694576) Ambiguous IPv6     in Origin headers may bypass webserver access     restrictions

  - MFSA 2012-29/CVE-2012-0477 (bmo#718573) Potential XSS     through ISO-2022-KR/ISO-2022-CN decoding issues

  - MFSA 2012-30/CVE-2012-0478 (bmo#727547) Crash with WebGL     content using textImage2D

  - MFSA 2012-31/CVE-2011-3062 (bmo#739925) Off-by-one error     in OpenType Sanitizer

  - MFSA 2012-32/CVE-2011-1187 (bmo#624621) HTTP     Redirections and remote content can be read by     JavaScript errors

  - MFSA 2012-33/CVE-2012-0479 (bmo#714631) Potential site     identity spoofing when loading RSS and Atom feeds

  - update to 2.9b4

  - added mozilla-sle11.patch and add exceptions to be able     to build for SLE11/11.1

  - exclude broken gl locale from build

  - fixed build on 11.2-x86_64 by adding     mozilla-revert_621446.patch

  - added mozilla-gcc47.patch and mailnews-literals.patch to     fix compilation issues with recent gcc 4.7

The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox,       Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information,       bypass restrictions and protection mechanisms, force file downloads,       conduct XML injection attacks, conduct XSS attacks, bypass the Same       Origin Policy, spoof URL&rsquo;s for phishing attacks, trigger a vertical       scroll, spoof the location bar, spoof an SSL indicator, modify the       browser&rsquo;s font, conduct clickjacking attacks, or have other unspecified       impact.
    A local attacker could gain escalated privileges, obtain sensitive       information, or replace an arbitrary downloaded file.
  Workaround :

    There is no known workaround at this time.

Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding (CVE-2012-0452).

The installed version of Thunderbird 10.x is earlier than 10.0.1 and is, therefore, potentially affected by a memory corruption vulnerability. 

A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean-up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

The installed version of Firefox is earlier than 10.0.1 and is, therefore, potentially affected by a memory corruption vulnerability. 

A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean-up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

Versions of Firefox 10.x earlier than 10.0.1 are potentially affected by a memory corruption vulnerability.  A use-after-free error exists in the method 'nxXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

Versions of Firefox 10.x prior to 10.0.1 are affected by a memory corruption vulnerability. A use-after-free error exists in the method 'nxXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure. Clean up processes may then attempt to use this data and cause application crashes. These application crashes are potentially exploitable.

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Thunderbird can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-0449)

It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-0444)

Tim Abraldes discovered that when encoding certain image types the resulting data was always a fixed size. There is the possibility of sensitive data from uninitialized memory being appended to these images. (CVE-2012-0447)

It was discovered that Thunderbird did not properly perform XPConnect security checks. An attacker could exploit this to conduct cross-site scripting (XSS) attacks through web pages and Thunderbird extensions.
With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0446)

It was discovered that Thunderbird did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2011-3659)

Alex Dvorov discovered that Thunderbird did not properly handle sub-frames in form submissions. An attacker could exploit this to conduct phishing attacks using HTML5 frames. (CVE-2012-0445)

Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, Bob Clary, and Bill McCloskey discovered memory safety issues affecting Thunderbird. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird. (CVE-2012-0442, CVE-2012-0443)

Andrew McCreight and Olli Pettay discovered a use-after-free vulnerability in the XBL bindings. An attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-0452)

Jueri Aedla discovered that libpng, which is in Thunderbird, did not properly verify the size used when allocating memory during chunk decompression. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program. (CVE-2011-3026).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Firefox was updated to 10.0.1 to fix critical bugs and security issue.

The following security issue has been fixed :

  - Mozilla developers Andrew McCreight and Olli Pettay     found that ReadPrototypeBindings will leave a XBL     binding in a hash table even when the function fails. If     this occurs, when the cycle collector reads this hash     table and attempts to do a virtual method on this     binding a crash will occur. This crash may be     potentially exploitable. (CVE-2012-0452)

Firefox 9 and earlier are not affected by this vulnerability.

https://www.mozilla.org/security/announce/2012/mfsa2012-10.html

Andrew McCreight and Olli Pettay discovered a use-after-free vulnerability in the XBL bindings. An attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-0452).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The installed version of SeaMonkey is earlier than 2.7.1.  Such versions are potentially affected by a memory corruption vulnerability. 

A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

The installed version of Thunderbird 10.x is earlier than 10.0.1 and is, therefore, potentially affected by a memory corruption vulnerability. 

A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

The installed version of Firefox 10.x is earlier than 10.0.1 and is, therefore, potentially affected by a memory corruption vulnerability. 

A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

The Mozilla Project reports :

MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings

Versions of Thunderbird 10.x earlier than 10.0.1 are potentially affected by a use-after-free error in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

Versions of SeaMonkey 2.x earlier than 2.7.1 are potentially affected by a memory corruption vulnerability.  A use-after-free error exists in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure.  Clean up processes may then attempt to use this data and cause application crashes.  These application crashes are potentially exploitable.

Mozilla Thunderbird version 10.0 is affected by a use-after-free error in the method 'nsXBLDocumentInfo::ReadPrototypeBindings' and XBL bindings are not properly removed from a hash table in the event of failure. Clean up processes may then attempt to use this data and cause application crashes. These application crashes are potentially exploitable.

ID	Name	Product	Family	Severity
76027	openSUSE Security Update : seamonkey (seamonkey-5804)	Nessus	SuSE Local Security Checks	high
75952	openSUSE Security Update : MozillaFirefox (MozillaFirefox-5799)	Nessus	SuSE Local Security Checks	high
74857	openSUSE Security Update : MozillaFirefox / MozillaThunderbird / seamonkey / etc (openSUSE-2012-92)	Nessus	SuSE Local Security Checks	high
74612	openSUSE Security Update : MozillaFirefox / MozillaThunderbird / seamonkey / etc (openSUSE-SU-2012:0567-1)	Nessus	SuSE Local Security Checks	critical
63402	GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)	Nessus	Gentoo Local Security Checks	critical
61944	Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2012:018)	Nessus	Mandriva Local Security Checks	high
58071	Thunderbird 10.x < 10.0.1 Memory Corruption (Mac OS X)	Nessus	MacOS X Local Security Checks	high
58070	Firefox < 10.0.1 Memory Corruption (Mac OS X)	Nessus	MacOS X Local Security Checks	high
801298	Mozilla Firefox 10.x < 10.0.1 Memory Corruption	Log Correlation Engine	Web Clients	high
6324	Mozilla Firefox 10.x < 10.0.1 Memory Corruption	Nessus Network Monitor	Web Clients	high
58037	Ubuntu 11.10 : thunderbird vulnerabilities (USN-1369-1)	Nessus	Ubuntu Local Security Checks	critical
57971	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 5807)	Nessus	SuSE Local Security Checks	high
57970	SuSE 11.1 Security Update : Mozilla Firefox (SAT Patch Number 5807)	Nessus	SuSE Local Security Checks	high
57934	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerability (USN-1360-1)	Nessus	Ubuntu Local Security Checks	high
57921	SeaMonkey < 2.7.1 Memory Corruption	Nessus	Windows	high
57920	Mozilla Thunderbird 10.x < 10.0.1 Memory Corruption	Nessus	Windows	high
57919	Firefox 10.x < 10.0.1 Memory Corruption	Nessus	Windows	high
57912	Mandriva Linux Security Advisory : firefox (MDVSA-2012:017)	Nessus	Mandriva Local Security Checks	high
57911	FreeBSD : mozilla -- use-after-free in nsXBLDocumentInfo::ReadPrototypeBindings (eba9aa94-549c-11e1-b6b7-0011856a6e37)	Nessus	FreeBSD Local Security Checks	high
801319	Mozilla Thunderbird 10.x < 10.0.1 Memory Corruption	Log Correlation Engine	Web Clients	high
801232	Mozilla SeaMonkey 2.x < 2.7.1 Memory Corruption	Log Correlation Engine	Web Clients	high
6328	SeaMonkey 2.x < 2.7.1 Memory Corruption	Nessus Network Monitor	Web Clients	high
6326	Mozilla Thunderbird 10.x < 10.0.1 Memory Corruption	Nessus Network Monitor	SMTP Clients	high

Detections

Analytics

CVE-2012-0452

high

Tenable Plugins

high

high

high

critical

critical

high

high

high

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

high